Identity And Access Management

What Is Privileged Access Management, And Why Is It So Important?

Expert Insight met with Terence Jackson, CISO at Privileged Access Management vendor Thycotic, to talk about the importance of managing identities and protecting your privileged accounts

Expert Insights Interview With Terence Jackson Of Thycotic

Thycotic is a leading vendor in Privileged Access Management (PAM). PAM is an important aspect of identity and access management that emphasizes protecting privileged accounts, ensuring that they are protected from credential theft and unsafe practices.

At RSAC 2020, we spoke to Thycotic’s Chief Information Security Officer (CISO) Terence Jackson to talk about the Thycotic platform, the importance of privileged access management, and the future of passwords.

What is Privileged Access Management?

Throughout the enterprise, users rely on usernames and passwords to access services and devices. The security of each of these accounts is hugely important, but protecting privileged accounts is crucial. Privileged accounts have administrative level access, allowing users to make configuration changes to services and devices.

The need for password management, and in particular PAM, comes from the difficulty of managing all of the different accounts and passwords in an organization securely.

“Typically, there are five times more passwords in an environment than people,” Jackson says. “That is problematic when passwords are not managed or rotated in a proper way. IT departments create password systems, but passwords often don’t get saved, or they never get rotated.” If privileged accounts are not properly secured, organizations are vulnerable to compromise. 

PAM solutions, like Thycotic, solve the problem of managing the life cycle of privileged accounts, including how they are created and rotated, Jackson says. Key features of these solutions include creating audit trails that show which privileged accounts did what and when. They also provide workflows, and multi-factor authentication. “We secure the keys to the kingdom,” Jackson summarizes.

Why is Privileged Access Management Important?

Protecting high-level admin accounts is a crucial component of a strong security strategy against external cyber-threats, no matter what your organization size or industry. “If you look at data breaches, usually the adversary is after some sort of admin-based credentials, so they can either extract data, make configuration changes, or start prepping in the case of ransomware,” Jackson says. 

But as well as the outside threat from cyber-criminals, PAM is crucial to make sure your organization is protected from insider threats, from users already in your network environment.

“If you’re not tracking who is accessing what accounts, you really don’t know what’s happening across the enterprise,” Jackson says. He says that without proper account and password management, with visibility into which who is accessing what data, enterprises are at significant risk of rogue users being able to compromise sensitive data. If passwords are not managed and rotated regularly, even employees who have left the organization may still be able to access this data.

“We’re trying to help organizations prevent data theft, ransomware attacks and data exfiltration,” Jackson says. “Users need the ability to audit account management, rotate passwords either after each use, or every 30 days. In some cases, organizations go as far as never exposing passwords to the end user.”

Instead, users get access through role-based access controls and single sign-on, tied in with multi-factor authentication. With Thycotic, users can log into the connection manager tool, and get access to all of the accounts that they should be able to access, without ever having to know a password.

The Problems with Privileged Access Management

Organizations are living, breathing entities, with employees needing to access accounts with as little friction as possible. When there are five times as many passwords as people, managing access can seem like a very frustrating task. Is there a friction between PAM and employees that need to just get access and do their jobs?

“The short answer is yes,” Jackson says, “If it’s not done properly.” Jackson says that Thycotic have a focus on user experience and making the login process as frictionless as possible. He also advises organizations not to consider PAM solutions that will force the customer to change their process, but instead look for a solution that will fit the way they currently work.

“Having an adaptable and configurable solution really reduces the friction,” Jackson says. Having a difficult to use solution in place causes a lot of friction and anger with end users, which in turn makes the solution less secure overall.

“People are resourceful,” he says. “If they don’t like the way something works, they’ll find backdoors and other ways around. We don’t want to make the organization less secure post-install than they were pre-install!”

“So, a lot of thinking goes into the design of the product and making sure it’s not something that will cause friction within the organization.”

The Future of Passwords

Passwords are notoriously insecure. Despite years of IT teams doing their best to push best password practices, it’s still all too often the case that users choose unsecure passwords, and reuse passwords across the enterprise. This has led many to predict that the password could soon be gone completely, at least in the eyes of the end user, in order to improve the security of accounts generally.

“I think the demise of the password has been greatly exaggerated,” says Jackson. “In regard to end users logging into their devices, absolutely passwords are on the way out. But there are often forgotten passwords. If you look at most organizations, they have tones of systems, and a lot of the authentication that happens isn’t necessarily humans logging in or interacting with passwords. For example, there is application to application passwords and developers put passwords in scripts that are running other services. Those passwords are probably not going anywhere anytime soon.”

Instead, Jackson believes there will be more focus on measures to make sure password policies and best practices are followed now, such as following NIST guidance on passwords, and of course implementing PAM to ensure that those crucial privileged accounts are protected.

Thinking of Implementing a Privileged Access Management Solution?

Jackson’s advice for organizations considering a PAM solution is to look for an adaptable and flexible platform. “Look at solutions that will be adaptable to the way that you work, and not the other way around,” he says.

“Also, look at the roadmap, look at where the company is going in two or three years, not just quarter three or four this year. You want to look at a company that has the ability to be agile, but also has an API first approach that can integrate with the other tools you already have.”

“PAM is part of the journey, not the destination, so have a road-map and make sure you communicate with your team and wider operation, which will allow for your overall security strategy to progress.”

Editorial note: As of 2023, Thycotic merged with Centrify and is now known as Delinea.